Legal
Privacy Notice
Effective June 11, 2026 · Version 2.0
1. Who we are
supercenter — Nikolaus Redl, Vienna, Austria. VAT ATU82884407. Privacy & security contact: security@supercenter.app.
This notice covers processing under the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG). For content your organization processes through the product, we act as a processor on your organization's instructions; for your account and our website we act as controller as described here.
2. What we process, why, and on what legal basis
- Account identity (name, work email, organization) · Provide and secure the account · Contract (Art. 6(1)(b))
- Authentication & session data · Login, security, fraud prevention · Contract; legitimate interests (security)
- Workspace content you process (messages, documents, prompts, tool inputs/outputs, connector data) · Run the agents and integrations you configure · Processor on customer instructions; the underlying basis is the customer's
- Connector credentials / tokens · Execute actions in apps you connect · Contract / your authorization
- Agent sessions, transcripts, audit logs · Execution, security, troubleshooting · Legitimate interests (security, integrity); contract
- Coworker long-term memory · Persistent assistant memory (Coworkers) · Contract; erasable on request
- Usage & billing data · Billing, limits, cost reporting · Contract; legal obligation (Art. 6(1)(c), invoicing)
- Support & feedback · Provide support, improve the product · Contract; legitimate interests
- Website analytics (PostHog, Google Analytics) · Understand and improve the site · Consent (Art. 6(1)(a)) — set via the cookie banner; withdrawable
- Marketing / contact forms · Respond to enquiries · Consent / legitimate interests
We do not request special-category data and ask that you not submit it intentionally through the services.
3. AI model providers and how your content is used
When agents run, prompts (which may contain personal data in your content) are sent for inference through the Vercel AI Gateway under zero data retention at the gateway. The gateway routes to model providers — Anthropic, OpenAI, Google, and xAI — under no-training commercial terms: your content is not used to train their models. These providers act as sub-processors of the gateway. We do not train models on customer data either.
4. Who we share data with (sub-processors)
We use vetted sub-processors to run the services: infrastructure (Vercel, Convex), authentication (WorkOS), the AI model gateway (Vercel) and its model providers, the connector layer (Composio), payments (Stripe), email (Resend), coworker memory (Supermemory, for Coworkers), web search (Parallel), analytics (PostHog, Google Analytics — consent-gated) and rate limiting (Upstash).
The current list — with purpose, location and transfer basis per provider — is maintained on our trust center at supercenter.app/trust and is available any time on request via security@supercenter.app. Changes are notified in advance per our Data Processing Agreement. We do not sell personal data.
5. International transfers
We and our sub-processors may process data in the United States and elsewhere. Where data leaves the EEA/UK/Switzerland to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses (and the UK/Swiss equivalents), supported by encryption and access controls and a transfer impact assessment. A copy of the relevant safeguards is available on request.
6. How long we keep it
- Account & organization data: life of the account plus 30 days
- Agent session transcripts: ~180 days
- Audit logs: ~400 days
- Usage events: ~90 days
- Coworker memories: life of the install; erasable on request
- Billing records: statutory period (up to 10 years)
On account closure we delete or anonymize your data within 30 days, except where law requires retention. Retention is enforced by automated jobs, not manual cleanup.
7. Your rights
Subject to applicable law, you have the right to access, rectification, erasure, restriction, portability, and objection, and to withdraw consent at any time (for analytics, via “Privacy choices” in the footer) without affecting prior processing.
To exercise these rights, contact security@supercenter.app; we respond within one month. Where we process your data as a processor for an organization, we will direct your request to that organization.
You may lodge a complaint with a supervisory authority. Ours is the Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna — dsb.gv.at, dsb@dsb.gv.at.
8. Automated decision-making
We do not make decisions producing legal or similarly significant effects about you based solely on automated processing. AI agents operate under your configuration, with human-approval gates on consequential actions.
9. Cookies & analytics
Technically necessary cookies handle authentication, session management and security. Non-essential analytics load only after you consent via the banner; Global Privacy Control signals are honored as a decline. You can change or withdraw consent any time via “Privacy choices” in the site footer.
10. Data security
Traffic is encrypted in transit (TLS 1.2+); data is encrypted at rest, with connector credentials and tokens additionally encrypted at the application layer (AES-256-GCM). Access is least-privilege with SSO and audited support access; workspaces are isolated per organization; automated monitors verify these controls continuously. Our security posture, subprocessor list and documents are published on the trust center at supercenter.app/trust.
11. Changes
We update this notice when our processing changes and revise the effective date and version above; material changes are highlighted and customers are notified. The published version is authoritative and version-controlled.
Version 2.0 — effective June 11, 2026. Replaces version 1.0 (January 2025).